Latest Blog Posts

Public Service Announcements include valuable security-related information regarding TYPO3 products or the typo3.org infrastructure.

Topics of these advisories include security issues in third-party software (e.g. Apache, Nginx, MySQL or PHP) that affect TYPO3 products, possible security-related misconfigurations in third-party software, possible misconfigurations in TYPO3 products, security-related information about our server infrastructure, and important advice on how to use TYPO3 products securely.

In TYPO3 CMS, protection against CSRF has been implemented for many important actions (such as creating, editing or deleting records) but is still missing in other places (such as the Extension Manager, file upload and the configuration module). The upcoming 6.2 LTS version will finally close this gap and protect editors and administrators from this kind of attack. Since this security improvement cannot be made without potentially breaking third-party extensions, it will only be part of TYPO3 CMS 6.2 and will not be backported to older versions.

Solution: Since this attack technique always requires user action (the logged-in user's browser has to be lured into sending the forged request, and the browser attaches the backend session cookie automatically), the risk can be mitigated greatly by not using your default web browser to log into a TYPO3 backend, so that the backend session is not available while you browse other sites, and by always logging out once the work is finished.
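As an added example of the kind of protection described above, here is a generic synchronizer-token CSRF guard in plain PHP. It is not TYPO3's own implementation (the page shows none); the session array, action names and form field name are assumptions. The token is an HMAC over the action name keyed with a per-session secret, so a token leaked from one form (e.g. "edit record") cannot be replayed against another (e.g. "file upload"), and the comparison uses hash_equals to avoid timing leaks.

```php
<?php
// Added example: generic synchronizer-token CSRF guard in plain PHP.
// Not TYPO3's own code; session layout, action names and field names are assumed.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_secret';
const CSRF_FIELD = 'csrf_token';

// Per-session secret, generated once and kept server-side (stand-in for $_SESSION).
function csrfSecret(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Token bound to one action: HMAC-SHA256(action, session secret).
function csrfToken(array &$session, string $action): string
{
    return hash_hmac('sha256', $action, csrfSecret($session));
}

// Constant-time check of a presented token against the expected one for this action.
function csrfCheck(array &$session, string $action, ?string $presented): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    return hash_equals(csrfToken($session, $action), $presented);
}

// Render side: embed the action-bound token as a hidden field.
function renderUploadForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session, 'file/upload'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/typo3/upload" enctype="multipart/form-data">'
        . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">'
        . '<input type="file" name="file"><button type="submit">Upload</button></form>';
}

// Handler side: refuse state-changing requests with a missing, forged or wrong-action token.
// Returns [HTTP status, message] so the caller can emit the response.
function handleUpload(array &$session, array $post): array
{
    if (!csrfCheck($session, 'file/upload', $post[CSRF_FIELD] ?? null)) {
        return [403, 'rejected: missing or invalid CSRF token'];
    }
    // ... real upload handling would follow here ...
    return [200, 'accepted'];
}

// Constructed demo run (stand-ins for $_SESSION and $_POST).
$session = [];
echo renderUploadForm($session), "\n";

$requests = [
    'genuine form submit'    => [CSRF_FIELD => csrfToken($session, 'file/upload')],
    'forged by attacker'     => [CSRF_FIELD => str_repeat('0', 64)],
    'token from other form'  => [CSRF_FIELD => csrfToken($session, 'record/edit')],
    'no token at all'        => [],
];
foreach ($requests as $label => $post) {
    [$status, $msg] = handleUpload($session, $post);
    printf("%-22s -> %d %s\n", $label, $status, $msg);
}
```

Only the genuine submission is accepted; a cross-site page cannot read the per-session secret or the token, so it cannot forge the hidden field, and a token captured for a different action fails the HMAC check.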

Tiki 12.x is our next Long Term Support (LTS) version and will be supported for 5 years (until 2018). The Tiki community, and especially the test and development team, have done (and are still doing ;)) some awesome work to deliver a very stable version of Tiki.